
How to deploy SB+ password validation

Level: Intermediate

Ehab AbuShmais (ehaba@us.ibm.com), Advanced Technical Services Engineer, IBM

12 Jan 2006

IT security is a vital component of business success. Password guessing is one of the most common attacks a system experiences, so controlling, managing, and monitoring your application's password-restriction policy is essential. This article provides a step-by-step method for deploying password validation in SystemBuilder™ (SB+) security.

This article uses SB+ security validation hooks and flags that are not documented in the SB+ reference manual or the SB+ administration manual. With the example programs provided, you can deploy a comprehensive password control solution step by step.

Step 1: Add the following 2 items to the DMSECURITY file:

1. VALIDATE.LOG

  • In attribute 1 of this item, specify the maximum number of retries to be allowed with each login attempt. SB+ will continue to default to 3 if this field is left blank.
  • In attribute 2, specify the name of the user subroutine to call whenever an incorrect password is entered. This user subroutine will be called every time an incorrect password is entered at the SB+ login prompt. To use the example subroutine provided below, enter USER.LOG here as the subroutine name.
    This subroutine has two arguments: UserID and Attempt #.
  • To make this change take effect, set the (DMCONT) SB.CONTROL control flag to 1. If this flag is not set, the user subroutine will not be invoked.

Note: The number of password retries applies system-wide; processes such as User and Group security, Login, and Keyboard timeout also use it. The user subroutine must declare the two arguments (as in "SUBROUTINE USER.LOG(UID, ATTEMPT)") and must have an entry (catalog pointer) in the VOC.

2. VALIDATE.USER

  • In attribute 1 of this item, specify the name of the user subroutine to call. This user subroutine will be called after the correct password has been entered at the SB+ login prompt. To use the example subroutine provided below, enter USER.CHECK here as the subroutine name.
    This subroutine has two arguments: UserID and Err. The Err flag has four return values:
    • ERR = 0: OK, no error.
    • ERR = 1: Error, try again.
    • ERR = 2: Error, fatal, log user off.
    • ERR = 3: Error, try again but REDRAW SCREEN.

Note: The user subroutine must declare the two arguments (as in "SUBROUTINE USER.CHECK(UID, ERRNO)") and must have an entry (catalog pointer) in the VOC.

Step 2: Create the following subroutines in the BP (Basic Programs) file, or in the file of your choice:


Listing 1. Code for CHECK.PASS

SUBROUTINE CHECK.PASS(NEWPASS,VALID.FLAG)
*
* Called by SB+ password validation when PASSWORD.VALIDATION in
* DMSECURITY is set to *CHECK.PASS or CHECK.PASS.
* Returns VALID.FLAG = 0 (accept) or 1 (reject).
*
   $INCLUDE DMSKELCODE COMMON
   $INCLUDE DMSKELCODE STANDARD.EQU
*
   VALID.FLAG = 1
*
* Validate that password is at least 6 characters and no more than 50
*
   L = LEN(NEWPASS)
   IF L < 6 OR L > 50 THEN
      CRT; CRT; CRT "PASSWORD MUST BE AT LEAST 6 CHARACTERS AND NO MORE THAN 50"
      RETURN
   END
*
* Validate that password is a mix of numbers + upper case + lower
* case + special characters. Each CNTn flag is set to 1 once a
* character of that class has been seen.
*
   CNT1 = 0; CNT2 = 0; CNT3 = 0; CNT4 = 0
   FOR C = 1 TO L
      S = SEQ(NEWPASS[C,1])
      IF S >= 65 AND S <= 90 THEN CNT1 = 1;    * upper case A-Z
      IF S >= 97 AND S <= 122 THEN CNT2 = 1;   * lower case a-z
      IF S >= 48 AND S <= 57 THEN CNT3 = 1;    * number 0-9
      IF S >= 33 AND S <= 47 THEN CNT4 = 1;    * special ! through /
      IF S >= 58 AND S <= 64 THEN CNT4 = 1;    * special : through @
      IF S >= 91 AND S <= 96 THEN CNT4 = 1;    * special [ through `
      IF S >= 123 AND S <= 126 THEN CNT4 = 1;  * special { through ~
   NEXT C
*
* All four flags must be set for the password to be accepted
*
   IF CNT1 + CNT2 + CNT3 + CNT4 # 4 THEN
      CRT; CRT; CRT "MUST USE MIX CASE AND USE NUMBER AND SPECIAL CHARACTERS"
      RETURN
   END
   VALID.FLAG = 0
   RETURN

With the following two routines in place, a user ID is locked once three incorrect password attempts have accumulated in attribute 41 of its DMSECURITY record without a successful login in between (the attempts need not be in the same session, because only a successful login clears the counter). The lock is enforced by USER.CHECK, which SB+ calls once the correct password has been entered, and it stays in place until an administrator resets the counter, for example with the process paragraph in Listing 4. Feel free to edit and customize the code to your own requirements.


Listing 2. Code for USER.LOG

SUBROUTINE USER.LOG(UID,ATTEMPT)
* Called by SB+ (VALIDATE.LOG attribute 2) on every wrong password for UID;
* ATTEMPT is the retry number within the session. Adds one to the failed
* attempt counter kept in attribute 41 of the user's DMSECURITY record.
$INCLUDE DMSKELCODE COMMON
$INCLUDE DMSKELCODE STANDARD.EQU
*
OPEN "DMSECURITY" TO SEC ELSE CRT "CAN NOT OPEN DMSECURITY"; RETURN
* READU locks the record so concurrent failures are not lost. An unknown
* UID is ignored silently: no record is created for it, and no message
* that would reveal which IDs exist is displayed at the login prompt.
READU USER.REC FROM SEC,'~':UID ELSE RELEASE SEC,'~':UID; RETURN
*
USER.REC<41> = USER.REC<41> + 1
WRITE USER.REC ON SEC,'~':UID
RETURN


Listing 3. Code for USER.CHECK

SUBROUTINE USER.CHECK(UID,ERRNO)
* Called by SB+ (VALIDATE.USER attribute 1) only after the correct
* password has been entered. Refuses the login (ERRNO = 2) when the
* failed-attempt counter in attribute 41 has reached 3; otherwise
* clears the counter and allows the login (ERRNO = 0).
$INCLUDE DMSKELCODE COMMON
$INCLUDE DMSKELCODE STANDARD.EQU
*
* Fail closed: if the security file or the user record cannot be read,
* do not allow the login
ERRNO = 2
OPEN "DMSECURITY" TO SEC ELSE CRT "CAN NOT OPEN DMSECURITY FILE"; RETURN
READU USER.REC FROM SEC,'~':UID ELSE RELEASE SEC,'~':UID; CRT "CAN NOT READ USER ID"; RETURN
*
IF USER.REC<41> >= 3 THEN
* Three or more wrong attempts since the last successful login: leave
* the counter as it is until an administrator runs RESET.PWD
   RELEASE SEC,'~':UID
   CRT; CRT "CONTACT YOUR SYSTEM ADMINISTRATOR"
END ELSE
* Reset the counter for next time
   USER.REC<41> = 0
   WRITE USER.REC ON SEC,'~':UID
   ERRNO = 0
END
RETURN

Process Paragraph to reset the counter of authentication attempts:


Listing 4. Code for RESET.PWD

* Clears the failed-attempt counter (attribute 41) for the user ID
* passed as the process parameter, e.g. RESET.PWD,SMITH
LOCAL USER.REC, UID
USER.REC = ''
UID = '~':@PARAM
IF @PARAM = '' THEN
 DISP 3, "Must provide a comma, then the USERID, after the process name"
 EXIT X
ELSE
 @RTN.FLAG = 0
END
*
READ USER.REC FROM "DMSECURITY",UID
IF @RTN.FLAG THEN
 DISP 3, @PARAM:" Does not exist!"
ELSE
 USER.REC<41> = 0
 WRITE USER.REC ON "DMSECURITY",UID
END
@PARAM = ''
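To see how the three routines interact across login sessions, the following Python model replays the flow that SB+ drives: USER.LOG on each wrong password, USER.CHECK only after the correct one, and RESET.PWD by an administrator. This is an added illustration written for this article, not SB+ code and not part of the listings above. The DMSECURITY file is modelled as a dictionary keyed by '~' plus the user ID, and attribute 41 holds the counter, as in the listings; the plain-text password in attribute 1, the per-session retry limit of 3 and the login() driver are assumptions standing in for SB+'s own login process, and the user record is constructed sample data.

```python
"""Model of the SB+ login lockout flow built from the listings above.

Added illustration for this article, not SB+ code. DMSECURITY is modelled as a
dict keyed by '~' + user ID and attribute 41 holds the failed-attempt counter,
as in the listings. The plain-text password in attribute 1, the per-session
retry limit and the login() driver are assumptions standing in for SB+'s own
login process (constructed data, not the real SB+ record layout).
"""

ATTR_PASSWORD = 1      # assumption: stand-in for SB+'s stored credential
ATTR_COUNTER = 41      # attribute the listings use as the failed-attempt counter
LOCK_THRESHOLD = 3     # USER.CHECK refuses the login at this many failures
MAX_RETRIES = 3        # VALIDATE.LOG attribute 1: wrong passwords per session

ERR_OK, ERR_RETRY, ERR_FATAL, ERR_REDRAW = 0, 1, 2, 3   # VALIDATE.USER codes


def make_user_record(password: str, attrs: int = 45) -> list:
    """Constructed DMSECURITY-style record: attribute n lives at index n."""
    rec = [""] * (attrs + 1)
    rec[ATTR_PASSWORD] = password
    rec[ATTR_COUNTER] = 0
    return rec


def counter(security: dict, uid: str) -> int:
    """Current value of attribute 41 for uid, 0 if the ID is unknown."""
    rec = security.get("~" + uid)
    return int(rec[ATTR_COUNTER] or 0) if rec else 0


def user_log(security: dict, uid: str, attempt: int) -> None:
    """USER.LOG: called by SB+ on every wrong password. Unknown IDs are ignored,
    so no '~uid' record is created for IDs an attacker merely guesses."""
    rec = security.get("~" + uid)
    if rec is not None:
        rec[ATTR_COUNTER] = int(rec[ATTR_COUNTER] or 0) + 1


def user_check(security: dict, uid: str) -> int:
    """USER.CHECK: called by SB+ only after the correct password. Fails closed
    (ERR_FATAL) for an unreadable record or a counter at the threshold;
    otherwise clears the counter and admits the user."""
    rec = security.get("~" + uid)
    if rec is None or int(rec[ATTR_COUNTER] or 0) >= LOCK_THRESHOLD:
        return ERR_FATAL
    rec[ATTR_COUNTER] = 0
    return ERR_OK


def reset_pwd(security: dict, uid: str) -> bool:
    """RESET.PWD: an administrator clears the counter; False if the ID is unknown."""
    rec = security.get("~" + uid)
    if rec is None:
        return False
    rec[ATTR_COUNTER] = 0
    return True


def login(security: dict, uid: str, attempts: list) -> tuple:
    """Replay one SB+ login session for the given sequence of typed passwords.

    Every wrong password calls user_log(); the first correct one calls
    user_check(); after MAX_RETRIES wrong passwords the session is dropped.
    Returns (logged_in, counter_after_session).
    """
    rec = security.get("~" + uid)
    wrong = 0
    for pw in attempts:
        if rec is not None and pw == rec[ATTR_PASSWORD]:
            return user_check(security, uid) == ERR_OK, counter(security, uid)
        wrong += 1
        user_log(security, uid, wrong)
        if wrong >= MAX_RETRIES:
            break                    # SB+ disconnects the session
    return False, counter(security, uid)


if __name__ == "__main__":
    sec = {"~alice": make_user_record("Corr3ct!pw")}
    # two bad tries in each of two sessions, then the right password:
    print(login(sec, "alice", ["bad", "bad"]))                # (False, 2)
    print(login(sec, "alice", ["bad", "bad", "Corr3ct!pw"]))  # (False, 4): locked
    print(reset_pwd(sec, "alice"), login(sec, "alice", ["Corr3ct!pw"]))  # True (True, 0)
```

The scenario in the main block shows the point that matters for deployment: because only a successful USER.CHECK clears attribute 41, failures accumulate across sessions, and the lock is enforced only at the moment the correct password is finally supplied. A user who gives up after two wrong tries in each of two sessions is therefore locked out the next time they type the right password, and an attacker who never finds the password simply keeps the counter rising until the legitimate user is locked out.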

Note: To change the password while logged on, execute the following process:

CHANGE.PWD

Step 3: Edit the item PASSWORD.VALIDATION in DMSECURITY to look like this:

*CHECK.PASS
(instead of **BYPASS)

Note: **BYPASS is the default setting and means that no password validation is performed. The value controls which validation runs: a subroutine name with no leading asterisk (CHECK.PASS) makes that subroutine solely responsible for password validation; a single asterisk with no subroutine name (*) runs only SB+'s own validation; and a single asterisk followed by a subroutine name (*CHECK.PASS) runs SB+'s own validation as well as the subroutine, so both sets of rules apply.

SB+'s own validation will not allow:

  • Passwords that contain a sequence of letters or numbers of 3 or more, such as ABC, or 123 (error message: PASSWORD MUST NOT CONTAIN SEQUENCES).
  • Passwords that contain repetitive characters of 3 or more, such as using the same letter 3 times in a row, like AAA (error message: PASSWORD CONTAINS CHARACTERS THAT ARE TOO REPETITIVE).
  • Passwords that contain a comma (error message: PASSWORD CONTAINS AN ILLEGAL CHARACTER).
  • Passwords that are one of the last 10 passwords used for this account (error message: YOU CANNOT REUSE AN OLD PASSWORD).
    Note: The old passwords are stored in encrypted form in field <11> of the user's DMSECURITY record. Clearing this field allows old passwords to be used again, at the cost of discarding the history that the reuse rule depends on. Editing the field directly also invalidates the record's checksum, so afterwards go into the User Security Setup screen and file the user's record again with F2. This is acceptable as an occasional manual fix, not as a routine procedure.
  • Passwords that are all numeric (error message: PASSWORD MUST NOT BE NUMERIC).
  • Null passwords (error message: INVALID PASSWORD).
  • Passwords that are the same as the user ID (error message: PASSWORD MUST NOT BE PART OF YOUR NAME OR ID CODE).
  • Passwords that have fewer than 4 characters, or more than 50 characters (error message: PASSWORD MUST BE AT LEAST 4 CHARACTERS IN LENGTH BUT LESS THAN 50 CHARACTERS).

Notes:

  • Error messages 5 through 8 are not seen when the CHECK.PASS example subroutine is in use, because passwords rejected by those rules (all numeric, null, equal to the user ID, or shorter than 4 characters) will in practice already have failed CHECK.PASS's minimum length of 6 and its character-mix requirement.
  • To prevent users from choosing specific passwords, add them to the list of invalid passwords in an item called PASSWORD in the DMSECURITY file.
  • All unsuccessful login attempts are logged. You can check this log using the SB+ security reports on the security menu while in the SB+ Administrator account.
  • To force users to change their password every 30 days, or whatever period you want, set the Pwd Rollover Date in the user security setup. To do this for a group, go into group security setup and press F7 (Logon Times).
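The combined policy that *CHECK.PASS produces (SB+'s own rules listed above, the PASSWORD item's list of forbidden passwords, and the CHECK.PASS subroutine from Listing 1) can be tried out offline with the following Python reference implementation. It is an added example written for this article, not SB+ code: it reimplements the rules as the page describes them, so the details the page does not specify are assumptions, namely that sequences are checked case-insensitively in either direction within letters or within digits, that the user-ID rule is a case-insensitive comparison with the whole ID, that the history holds one-way fingerprints (SB+'s own encrypted form is not described here), and the message wording for a forbidden-list hit. Because the page does not say whether SB+ runs its own checks before or after the subroutine, validate() collects the failures from both layers.

```python
"""Reference model of the *CHECK.PASS password policy described above.

Added example for this article, not SB+ code. sb_builtin() reimplements the
rules the page attributes to SB+'s own validation, check_pass() mirrors
Listing 1, and validate() combines them. Items marked 'assumption' are
details the page does not specify.
"""
import hashlib
import string

MIN_LEN_SB, MAX_LEN = 4, 50   # SB+ built-in limits
MIN_LEN_CHECK = 6             # CHECK.PASS minimum
HISTORY_DEPTH = 10            # SB+ rejects any of the last 10 passwords

# Special characters exactly as CHECK.PASS tests them with SEQ()
_SPECIAL = {chr(c) for lo, hi in ((33, 47), (58, 64), (91, 96), (123, 126))
            for c in range(lo, hi + 1)}


def check_pass(pw: str) -> list:
    """Listing 1 (CHECK.PASS) as a pure function: the messages it would print."""
    n = len(pw)
    if n < MIN_LEN_CHECK or n > MAX_LEN:
        return [f"PASSWORD MUST BE AT LEAST {MIN_LEN_CHECK} CHARACTERS AND NO MORE THAN {MAX_LEN}"]
    classes = (
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in _SPECIAL for c in pw),
    )
    if not all(classes):
        return ["MUST USE MIX CASE AND USE NUMBER AND SPECIAL CHARACTERS"]
    return []


def _has_run(pw: str, step: int) -> bool:
    """True if three consecutive characters differ by `step` code points:
    step 0 is a repeat (AAA), +1/-1 an ascending/descending sequence (ABC, 321).
    Assumption: case-insensitive, and a sequence must stay within letters or
    within digits, so '9:;' does not count."""
    s = pw.upper()
    for a, b, c in zip(s, s[1:], s[2:]):
        if step == 0:
            if a == b == c:
                return True
        elif all(ch.isalnum() for ch in (a, b, c)) and a.isdigit() == b.isdigit() == c.isdigit():
            if ord(b) - ord(a) == step and ord(c) - ord(b) == step:
                return True
    return False


def fingerprint(pw: str) -> str:
    """Stand-in for the encrypted history entries SB+ keeps in attribute 11
    (assumption: SB+'s own encoding is not described on this page)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def sb_builtin(uid: str, pw: str, history: list, banned: set) -> list:
    """The checks the page attributes to SB+'s own validation (the leading '*'),
    plus the PASSWORD item's list of forbidden passwords."""
    if pw == "":
        return ["INVALID PASSWORD"]
    errs = []
    if _has_run(pw, 1) or _has_run(pw, -1):
        errs.append("PASSWORD MUST NOT CONTAIN SEQUENCES")
    if _has_run(pw, 0):
        errs.append("PASSWORD CONTAINS CHARACTERS THAT ARE TOO REPETITIVE")
    if "," in pw:
        errs.append("PASSWORD CONTAINS AN ILLEGAL CHARACTER")
    if fingerprint(pw) in history[-HISTORY_DEPTH:]:
        errs.append("YOU CANNOT REUSE AN OLD PASSWORD")
    if all(c in string.digits for c in pw):
        errs.append("PASSWORD MUST NOT BE NUMERIC")
    if pw.upper() == uid.upper():                      # assumption: whole-ID match
        errs.append("PASSWORD MUST NOT BE PART OF YOUR NAME OR ID CODE")
    if len(pw) < MIN_LEN_SB or len(pw) > MAX_LEN:
        errs.append(f"PASSWORD MUST BE AT LEAST {MIN_LEN_SB} CHARACTERS IN LENGTH BUT LESS THAN {MAX_LEN} CHARACTERS")
    if pw.upper() in {b.upper() for b in banned}:      # assumption: message wording
        errs.append("PASSWORD IS ON THE FORBIDDEN LIST")
    return errs


def validate(uid: str, pw: str, history=(), banned=()) -> list:
    """*CHECK.PASS: SB+'s checks plus CHECK.PASS. An empty list means accepted."""
    return sb_builtin(uid, pw, list(history), set(banned)) + check_pass(pw)
```

Running validate("alice", "Pa,ss1") illustrates why the two layers are kept: CHECK.PASS alone accepts that password, since a comma falls inside its special-character range, while SB+'s own rule rejects it as an illegal character. Conversely, a password such as "abc123" passes SB+'s length and numeric rules but fails both the sequence rule and CHECK.PASS's character-mix rule.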




About the author


Ehab AbuShmais is an SB+ software engineer with 11 years of experience in SB+ products support, engineering, and consulting. Ehab is the author of the book Building Applications Using IBM SB+ GUI. Ehab has a Bachelor of Science in Information Systems Engineering from Southern Polytechnic State University, and a Master of Science in Computer Information Systems from University of Denver.






UniVerse is a registered trademark of IBM in the United States. UniData is a registered trademark of IBM in the United States. SystemBuilder is a trademark of IBM in the United States. Other company, product, or service names may be trademarks or service marks of others.